Trusted publishing (#7)

* Add .claude and .gitignore

* Use trusted publishing

* Align with other repos

Author: Mark90

.claude/.gitignore

@@ -0,0 +1 @@
+*.local.json

.github/workflows/publish-package.yaml

@@ -4,27 +4,37 @@ on:
   release:
     types: [created]
 
-env:
-  UV_LOCKED: true  # Assert that the `uv.lock` will remain unchanged
-
 jobs:
-  deploy:
-    runs-on: ubuntu-latest
+  build:
+    runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v6
-
-    - name: Install uv and set the python version
-      uses: astral-sh/setup-uv@v7
+    - name: Install uv and set the Python version
+      uses: astral-sh/setup-uv@v8
       with:
-        # It is considered best practice to pin to a specific uv version.
-        version: "0.11.6"
-        python-version: ${{ matrix.python-version }}
-
+        version: "0.11.7"
+        python-version: "3.x"
     - name: Build package
       run: uv build
-
-    - name: Publish package
-      run: uv publish
       env:
-        UV_PUBLISH_USERNAME: ${{ secrets.FLIT_USERNAME }}
-        UV_PUBLISH_PASSWORD: ${{ secrets.FLIT_PASSWORD }}
+        UV_LOCKED: true
+    - name: Upload dist artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: dist
+        path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-24.04
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+    - name: Download dist artifact
+      uses: actions/download-artifact@v4
+      with:
+        name: dist
+        path: dist/
+    - name: Publish package distributions to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1